The Impossible Bridge: Wiring Cisco ThousandEyes into Microsoft Power Platform, Defender XDR & Cisco XDR
The world's first and only custom connector linking network observability to the Microsoft AI stack and both XDR platforms.
Works with ThousandEyes deployed anywhere — AWS, Azure, on-prem. Zero inbound firewall rules. Zero VPNs. Zero compromises.
One custom connector. Four enterprise platforms. Cisco ThousandEyes telemetry flows through Microsoft Power Platform into Defender XDR and Cisco XDR — with Enterprise Agents deployed in AWS, Azure, or on-prem. This integration has never existed until now.
It's Tuesday morning, 9:47 AM. A senior network engineer at the bank — let's call him David — opens 14 browser tabs to investigate why the wire transfer service is throwing intermittent 502s. ThousandEyes in one tab. ServiceNow in another. Splunk. Teams. The change calendar. A spreadsheet of test IDs. He pivots between them for 40 minutes before finding the answer: a BGP route flap in Frankfurt knocked out the secondary path two hours ago.
David is a brilliant engineer. He shouldn't be a human router between five SaaS tools at 9 AM. And by Sunday night, he wasn't.
Skip my 11 cliffs. Download the whole thing now.
The simulator, the connector YAML, the beginner guide, and every Power Automate template — MIT licensed, production-tested, free forever. No signup. No email gate. No newsletter. Just clone, run, ship.
What I built
A Microsoft Power Platform custom connector for Cisco ThousandEyes. The first one. Anywhere. 30 read-and-write operations exposing the entire ThousandEyes v7 API — agents, tests, alerts, BGP monitors, Internet Insights, dashboards — directly accessible from Power Automate flows, Power Apps screens, and Copilot Studio agents in natural language.
And the same connector pipes telemetry into Microsoft Defender XDR and Cisco XDR for security correlation. ThousandEyes detects the network anomaly. Power Automate enriches it. XDR correlates with identity, endpoint, and threat-intel signals. This is the SOC of 2026.
Now David doesn't pivot between five tools. He types in Microsoft Teams:
Internet Insights confirms a network outage at provider DE-CIX starting 07:21 UTC, ETA 30 min. Defender XDR shows no correlated identity or endpoint anomalies — this is purely upstream network.
Recommended action: No action — the issue is upstream, traffic is rerouting cleanly, customer impact is sub-200ms latency. Notify status page if outage exceeds 1 hour.
40 minutes of war-room investigation → 4 seconds in Teams.
The shocking gap I discovered
I started this project with a simple assumption: "Microsoft has a connector for everything. There must already be one for ThousandEyes."
Then I checked.
| Where I Looked | What I Found |
|---|---|
| Microsoft's official connector catalog | ❌ Nothing for ThousandEyes |
| Independent Publisher connectors | ❌ Nothing |
| Power Platform community repos on GitHub | ❌ Nothing |
| Cisco DevNet Power Platform examples | ❌ Nothing |
| Power Users community forum | ❌ Unanswered "is there a connector?" posts since 2022 |
| Cisco XDR + Microsoft Defender XDR integration kits | ❌ Direct ThousandEyes feeds: none |
So I built it.
The architecture: one connector, anywhere your agents live
Here's the part most blog posts skip: ThousandEyes Enterprise Agents can run in AWS, Azure, on-prem, or as Docker containers. The custom connector works with all of them — because it doesn't talk to the agents directly.
How to wire up agents deployed in AWS, Azure, and on-prem
The connector itself works the moment you import the YAML. But for your agents to feed data into ThousandEyes Cloud — and therefore be visible via the connector — here's what each deployment needs.
Enterprise Agent in AWS
- Image: Marketplace AMI thousandeyes-enterprise-agent, or container on ECS/EKS
- Instance: t3.small (2 vCPU, 2 GB RAM) for most use cases
- VPC: Any subnet with NAT or IGW for outbound HTTPS
- Security Group: Outbound 443 to internet only — no inbound rules needed
- IAM: No IAM needed (agent uses its own ThousandEyes account binding)
- Cost: ~$15/month per agent on AWS
Enterprise Agent in Azure
- Image: Marketplace VM Cisco ThousandEyes Enterprise Agent, or container on AKS
- Size: Standard_B2s (2 vCPU, 4 GB RAM)
- VNet: Any subnet with outbound NAT
- NSG: Outbound TCP 443 to *.thousandeyes.com
- Private Link: Supported if you must keep traffic off the public internet
- Cost: ~$14/month per agent in Azure
Enterprise Agent on-prem
- Form factor: VMware OVA, Hyper-V VHDX, Docker container, physical appliance
- Sizing: 2 vCPU, 2 GB RAM minimum
- Network: Outbound HTTPS 443 to internet via proxy or direct
- Firewall: Allow outbound to ThousandEyes IPs (see table below)
- Proxy: HTTP/SOCKS proxies fully supported
- Cost: Included with ThousandEyes subscription
🔥 Firewall ports: the table your network team needs
This is the table I had to compile from three different Cisco docs. Save this — it's the exact allowlist your network team will ask for.
| From | To | Port | Purpose |
|---|---|---|---|
| Enterprise Agent (AWS/Azure/on-prem) | data.thousandeyes.com | TCP 443 | Test results upload |
| Enterprise Agent | agents.thousandeyes.com | TCP 443 | Agent registration & config pull |
| Enterprise Agent | app.thousandeyes.com | TCP 443 | OAuth + management |
| Enterprise Agent | scribe.thousandeyes.com | TCP 443 | Agent diagnostics & logs |
| Enterprise Agent | NTP (any public NTP) | UDP 123 | Time sync — critical for valid test timestamps |
| Enterprise Agent | DNS (your resolver) | UDP/TCP 53 | Name resolution |
| Power Platform | api.thousandeyes.com | TCP 443 | Custom connector API calls (production) |
| On-prem gateway (lab) | *.servicebus.windows.net | TCP 443 | Azure Service Bus relay (gateway only) |
| On-prem gateway (lab) | login.microsoftonline.com | TCP 443 | M365 auth (gateway only) |
Production proof: real 200 OK responses from Power Platform
Most "I built a connector" blog posts stop at architecture diagrams. I'm going to show you the actual responses. Below are real screenshots from Power Platform's connector test harness, hitting the live solution, with schema validation enabled.
ListSuppressionWindows → HTTP 200 OK
The connector retrieved a "Sunday Maintenance" suppression window (Weekly 2-hour maintenance, starts 2026-05-17 02:00 UTC, ends 04:00 UTC, recurrence WEEKLY, enabled: true). The schema validator parsed every field against the OpenAPI 2.0 contract — this is what production-grade looks like. No hand-rolled HTTP actions. No regex parsing. The connector is doing the heavy lifting and Power Platform is treating it as a first-class citizen.
ListBgpMonitors → HTTP 200 OK
The connector retrieved BGP monitors including Equinix Ashburn (AS6461) at 206.126.236.21 and PCCW Singapore at 63.218.13.10 — both public monitors covering the global BGP routing table. This means a Power Automate flow can react to BGP route flaps in real time: detect a route change in Singapore, correlate it to a wire transfer outage, post an Adaptive Card to Teams, open a ServiceNow incident, and pipe the event into Cisco XDR — all in under 10 seconds.
Wiring to Microsoft Defender XDR & Cisco XDR — the security story
This is where the project becomes a SOC accelerator. The same connector that powers NetOps flows also feeds two XDR platforms for security correlation. Here's how each one works.
🛡️ Microsoft Defender XDR integration
Defender XDR ingests "custom events" via the Microsoft Sentinel Data Connector for REST APIs or via the Defender XDR Custom Detection framework. The pattern:
- ListAlerts on the ThousandEyes connector with state=active.
- GetAlert for full context, then FilterOutages to attribute the cause (Cloudflare? AWS? our app?).
- Microsoft Sentinel connector → Send Data to Log Analytics Workspace with a custom table ThousandEyes_Alerts_CL.
- Defender XDR auto-correlates with identity, endpoint, and email signals.
🛡️ Cisco XDR integration
Cisco XDR ingests external observations via the Cisco XDR Incidents API (formerly SecureX). The pattern:
- ListAlerts. For CRITICAL severity only, branch into the XDR push.
- Build the observation: network-observable, disposition suspicious, target_observables include the affected URLs and ASNs.
- Call https://visibility.amp.cisco.com/iroh/iroh-int/incident with an OAuth Bearer token; XDR creates an incident linked to the affected assets.
The auth puzzle that almost broke everything
Here's where most engineering blog posts say "...and it just worked!"
It absolutely did not just work.
Power Platform's on-premises data gateway has a fundamental limitation: when "Connect via on-premises data gateway" is enabled, the auth dropdown drops from five options to three. API Key disappears. OAuth disappears. Only Basic and Windows remain. But ThousandEyes uses Bearer tokens. So how do you bridge them?
The Basic Auth Wrapper trick — 8 lines of code in the simulator:
```javascript
// auth.js — the 8 lines that solved the puzzle
let token;
if (authHeader.startsWith('Basic ')) {
  const b64 = authHeader.substring(6);
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const colonIdx = decoded.indexOf(':');
  // Username is ignored. Password IS the bearer token.
  token = decoded.substring(colonIdx + 1);
}
```
Power Platform sends Basic auth ✅ Gateway accepts it ✅ Simulator extracts the token ✅ Same security as Bearer auth ✅ Zero loss, full gateway compatibility.
When migrating to production, flip the connector's securityDefinitions from basic to apiKey and point at api.thousandeyes.com. Same connector. Same 30 operations. Same flows. Different security envelope.
The 11 cliffs I fell off (so you don't have to)
| # | Cliff | Time lost | Documented fix |
|---|---|---|---|
| 1 | Phantom API Key dropdown (gateway limitation) | 90 min | Basic auth wrapper |
| 2 | v1.0 simulator couldn't decode Basic auth | 120 min | Multi-auth auth.js (v3.0) |
| 3 | 127.0.0.1 binding blocks gateway | 60 min | HOST=0.0.0.0 |
| 4 | Firewall Public profile silently fails | 45 min | Domain profile only |
| 5 | Tokens regenerate on every restart | 30 min | PERSIST_FILE env |
| 6 | Route ordering: /alerts/rules vs /alerts/:id | 45 min | Specific routes first |
| 7 | SQL JOIN unsupported in micro-parser | 30 min | JS-side lookups |
| 8 | Closure bug in WHERE clause | 20 min | Scope argIdx per row |
| 9 | activeAlerts: undefined from COUNT | 20 min | .get().c |
| 10 | Token format ambiguity (Bearer vs raw) | 30 min | Big red callouts in guide |
| 11 | Power Platform connector cache | 15 min | Wait 5 min between delete & recreate |
Three Microsoft AI surfaces, one connector
💼 Power Automate — event-driven flows
The killer flow: Alert Notifier. It polls ListAlerts every 5 min, posts severity-filtered Adaptive Cards to Teams, opens a ServiceNow incident for CRITICAL alerts, and pushes in parallel to Defender XDR and Cisco XDR. One flow replaces 90% of NOC triage.
🎨 Power Apps — live operations dashboard
The killer screen: Network Health. Canvas App showing every test as a green/orange/red tile. Tap to drill into GetHttpTestResults. World-map gallery of agents pulling from ListAgents. The on-call engineer's home screen.
🤖 Copilot Studio — natural language agent
The killer agent: NetOps Assistant. Generative orchestration with all 30 operations as tools. System prompt teaches it to start with inventory, drill into specific tests, attribute outages via Internet Insights, and propose remediations without claiming to apply them. Sarah asks "is wire transfer healthy?" — gets a real answer in 3 seconds.
Lab → production journey
Building it on your laptop is easy. Promoting it to a regulated production environment is where engineering happens.
| Week | Environment | Auth | Backend |
|---|---|---|---|
| 1 | LAB | Basic auth wrapper | Local simulator via on-prem gateway |
| 2 | UAT | API Key (Bearer) | ThousandEyes Cloud trial — your real agents in AWS/Azure |
| 3 | PROD | API Key (Bearer) | Real ThousandEyes Cloud with full alert routing |
The flows don't change. Power Apps doesn't change. The Copilot Studio agent doesn't change. Only the connection reference changes. That's solution-aware deployment done right.
For Cisco hiring managers & recruiters
If you're at Cisco — particularly on ThousandEyes, XDR, Webex, Meraki, Umbrella, Duo, or DevNet — and you're looking for engineers who build the integrations your customers actually want, here's what this project says about how I work:
🧠 Technical depth
- Cisco ecosystem: ThousandEyes v7 API · XDR CTIM model · Enterprise Agent AWS/Azure/on-prem deployment
- Microsoft Power Platform: Custom connectors · on-prem gateway · Copilot Studio · solution-aware deployment · DLP
- Security operations: Defender XDR custom detections · Sentinel Log Analytics · Cisco XDR incident creation
- Full-stack: Node.js · Express · WebSocket · SQL parser · Docker · Windows services
- Network engineering: BGP path analysis · NAT / proxy configurations · firewall rule design
🛠️ Engineering rigor
- First-of-its-kind delivery: Researched the gap, designed the solution, shipped working code in a weekend
- Beginner-grade docs: 14-part guide with SVG screenshots — junior engineers ship in 30 min
- 11 cliff post-mortems: Every failure analyzed, fixed, documented. Future engineers don't repeat my mistakes.
- Production-grade deliverables: Simulator with PNC-themed seed data, lab→prod migration path, XDR integration patterns
- Cross-portfolio thinking: Not "build a connector" — "build the bridge between two ecosystems most users straddle"
My background: Ex-Cisco. Currently Senior Infrastructure & Security Engineer at a major US bank. Specialized in AI-powered automation and the Microsoft × Cisco overlap. 8 years between these two ecosystems — fluent in both.
The code is yours
The entire project — simulator, connector, guide, the works — is on GitHub. MIT licensed. Production-tested. 11 cliffs documented.
What's in the repo
| File | Purpose | Download |
|---|---|---|
| thousandeyes-simulator.zip | Node.js simulator (v3.0 multi-auth). Run with npm start. | ⬇️ Download |
| thousandeyes-connector.yaml | OpenAPI 2.0 spec, 30 operations. Import to Power Platform. | ⬇️ Download |
| COMPLETE-BEGINNER-GUIDE.html | 14-part walkthrough with SVG screenshots. | ⬇️ Download |
| deployment/aws-enterprise-agent.md | How to deploy ThousandEyes Enterprise Agent in AWS. | 🔗 View |
| deployment/azure-enterprise-agent.md | How to deploy ThousandEyes Enterprise Agent in Azure. | 🔗 View |
| xdr/defender-xdr-flow.json | Power Automate template — alerts → Sentinel Log Analytics. | 🔗 View |
| xdr/cisco-xdr-flow.json | Power Automate template — alerts → Cisco XDR incidents. | 🔗 View |
🚀 Grab it now — start shipping in 30 minutes
Clone the whole repo, extract the simulator, import the connector, configure your on-prem gateway. By tonight you'll have ThousandEyes alerts posting to Microsoft Teams and a Copilot agent answering "is wire transfer healthy?" in 4 seconds.
What's next: the connector portfolio
The connector pattern extends across the entire Cisco portfolio:
- Cisco Meraki connector — Dashboard API for cloud-managed networks
- Cisco Umbrella connector — DNS security telemetry → Defender XDR / Sentinel
- Cisco Duo connector — MFA event correlation with Sentinel UEBA
- Cisco Webex Control Hub connector — Device health and call quality from Teams
- Cisco XDR + Defender XDR fusion agent — One Copilot agent that knows your entire Cisco + Microsoft security estate
Write the connector once. Wire it into Teams, Power Apps, and Copilot Studio. That's the real promise — and we're still in the first inning.
If this saved you from a 40-minute war room at 9 AM,
please ⭐ the repo so the next NOC engineer can find it.
Made with ☕, 🐍, and the conviction that nobody should have to manually pivot between five tools.